def csrf_attack_body(url, method, headers, body, csrf_param, scanid):
tmp_headers = {}
http_status_code, response_size = csrf_request(url, method, headers, body)
if csrf_param is not None:
csrf_param_value = generate_csrf_token(str(body['csrf_param']))
body['csrf_param'] = csrf_param_value
csrf_req_body = req.api_request(url, method, headers, body)
if str(csrf_req_body.status_code)[0] == '4' or \
str(csrf_req_body.status_code)[0] == '5':
return
if csrf_req_body.status_code == http_status_code:
if len(csrf_req_body.text) == response_size:
# Testing for JSON based CSRF - Blind CSRF
tmp_headers.update(headers)
tmp_headers['Content-Type'] = 'text/plain'
json_csrf = req.api_request(url, method, tmp_headers, body)
if str(json_csrf.status_code)[0] == '4' or \
str(json_csrf.status_code)[0] == '5':
# Application is validating content-type header.
# Only way to bypass is using flash based technique.
impact = "Medium"
else:
impact = "High"
headers = tmp_headers
print "%s[-]{0} is vulnerable to CSRF attack%s".format(url) % (
api_logger.R, api_logger.W)
attack_result = {"id": 6, "scanid": scanid, "url": url,
"alert": "CSRF", "impact": impact,
"req_headers": headers, "req_body": body,
"res_headers": json_csrf.headers,
"res_body": json_csrf.text}
dbupdate.insert_record(attack_result)
def xss_get_url(url,method,headers,body,scanid=None):
# Check for URL based XSS.
# Ex: http://localhost/<payload>, http://localhost//?randomparam=<payload>
result = ''
parsed_url = ''
xss_payloads = fetch_xss_payload()
uri_check_list = ['?', '&', '=', '%3F', '%26', '%3D']
for uri_list in uri_check_list:
if uri_list in url:
# Parse domain name from URI.
parsed_url = urlparse.urlparse(url).scheme+"://"+urlparse.urlparse(url).netloc+urlparse.urlparse(url).path
break
if parsed_url == '':
parsed_url = url
for payload in xss_payloads:
decoded_payload = xss_payload_decode(payload)
xss_request_url = req.api_request(parsed_url+'/'+payload,"GET",headers)
if result is not True:
if xss_request_url.text.find(decoded_payload) != -1:
impact = check_xss_impact(xss_request_url.headers)
attack_result = { "id" : 11, "scanid" : scanid, "url" : url, "alert": "Cross Site Scripting", "impact": impact, "req_headers": headers, "req_body":body, "res_headers": xss_request_url.headers ,"res_body": xss_request_url.text}
dbupdate.insert_record(attack_result)
result = True
xss_request_uri = req.api_request(parsed_url+'/?test='+payload,"GET",headers)
if xss_request_uri.text.find(decoded_payload) != -1:
impact = check_xss_impact(xss_request_uri.headers)
logs.logging.info("%s is vulnerable to XSS",url)
print "%s[{0}] {1} is vulnerable to XSS%s".format(impact,url)% (api_logger.G, api_logger.W)
attack_result = { "id" : 11, "scanid" : scanid, "url" : url, "alert": "Cross Site Scripting", "impact": impact, "req_headers": headers, "req_body":body, "res_headers": xss_request_url.headers ,"res_body": xss_request_url.text}
dbupdate.insert_record(attack_result)
def csrf_attack_header(url, method, headers, body, csrf_header, csrf_test_type,
scanid):
# This function performs CSRF attack with various techniques.
if csrf_test_type == "header":
updated_headers = headers.copy()
http_status_code, response_size = csrf_request(url, method, headers,
body)
# Delete the CSRF header and send the request
updated_headers = csrf_header_remove(updated_headers, csrf_header)
csrf_req = req.api_request(url, method, updated_headers, body)
if (str(csrf_req.status_code)[0] == '4' or
str(csrf_req.status_code)[0] == '5'):
return
if csrf_req.status_code == http_status_code:
if len(csrf_req.text) == response_size:
print "%s[-]{0} is vulnerable to CSRF attack%s" \
.format(url) % (api_logger.R, api_logger.W)
attack_result = {"id": 6, "scanid": scanid, "url": url,
"alert": "CSRF", "impact": "High",
"req_headers": headers,
"res_headers": csrf_req.headers,
"res_body": csrf_req.text}
dbupdate.insert_record(attack_result)
return
try:
csrf_header_value = headers[csrf_header]
csrf_header_value = generate_csrf_token(str(csrf_header_value))
# Updating CSRF value. Ex X-XSRF-token : xyz
headers[csrf_header] = csrf_header_value
new_csrf_req = req.api_request(url, method, updated_headers, body)
if (str(csrf_req.status_code)[0] == '4' or
str(csrf_req.status_code)[0] == '5'):
return
if csrf_req.status_code == http_status_code:
if len(csrf_req.text) == response_size:
# Check for CORS
result = check_custom_header(url, csrf_header)
if result:
print "%s[-]{0} is vulnerable to CSRF attack%s".format(
url) % (api_logger.R, api_logger.W)
attack_result = {"id": 6, "scanid": scanid, "url": url,
"alert": "CSRF", "impact": "High",
"req_headers": headers,
"req_body": body,
"res_headers": csrf_req.headers,
"res_body": csrf_req.text}
dbupdate.insert_record(attack_result)
except Exception:
return
def start_scan(task_id):
# Starting a new scan
data = {}
scan_start_url = base_url + "/scan/" + task_id + "/start"
scan_start_resp = req.api_request(scan_start_url, "POST", api_header, data)
if scan_start_resp.status_code == 200:
return json.loads(scan_start_resp.text)['success']
def xss_post_method(url,method,headers,body,scanid=None):
# This function checks XSS through POST method.
temp_body = {}
post_vul_param = ''
db_update = ''
for key,value in body.items():
xss_payloads = fetch_xss_payload()
for payload in xss_payloads:
temp_body.update(body)
temp_body[key] = payload
xss_post_request = req.api_request(url, "POST", headers, temp_body)
decoded_payload = xss_payload_decode(payload)
if xss_post_request.text.find(decoded_payload) != -1:
impact = check_xss_impact(xss_post_request.headers)
if db_update is not True:
attack_result = { "id" : 11, "scanid" : scanid, "url" : url, "alert": "Cross Site Scripting", "impact": impact, "req_headers": headers, "req_body":temp_body, "res_headers": xss_post_request.headers ,"res_body": xss_post_request.text}
dbupdate.insert_record(attack_result)
db_update = True
post_vul_param += key
break
else:
if post_vul_param == '':
post_vul_param += key
else:
post_vul_param += ','+key
break
if post_vul_param:
# Update all vulnerable params to db.
logs.logging.info("%s Vulnerable Params:",post_vul_param)
dbupdate.update_record({"scanid": scanid}, {"$set" : {"scan_data" : post_vul_param+" are vulnerable to XSS"}})
def cors_main(url, method, headers, body, scanid=None):
temp_headers = {}
temp_headers.update(headers)
origin_headers = generate_origin(url)
logs.logging.info("List of origin headers: %s", origin_headers)
for origin in origin_headers:
origin_header = {"origin": origin}
temp_headers.update(origin_header)
if (method.upper() == 'GET' or method.upper() == 'POST'
or method.upper() == "PUT"):
"""
If request method is POST then browser usually
sends preflight request
"""
option_response = req.api_request(url, "OPTIONS", temp_headers)
result = cors_check(origin, option_response.headers)
if result:
print "%s[+]{0} is vulnerable to cross domain attack %s "\
.format(url) % (api_logger.G, api_logger.W)
attack_result = {
"id": 1,
"scanid": scanid,
"url": url,
"alert": "CORS Misconfiguration",
"impact": result['impact'],
"req_headers": temp_headers,
"req_body": body,
"res_headers": option_response.headers,
"res_body": "NA"
}
dbupdate.insert_record(attack_result)
break
logs.logging.info("Scan completed for cross domain attack: %s", url)
def fuzz_url(url, method, headers, body, scanid):
# Fuzzing target URL with different params.
parsed_url = urlparse.urlparse(url)
target_domain = parsed_url.scheme + "://" + parsed_url.netloc + "/"
redirect_payload = fetch_open_redirect_payload()
for payload in redirect_payload:
try:
target_url = target_domain + payload.replace(
"{target}", redirection_url)
except:
target_url = target_domain + payload
fuzz_req = req.api_request(target_url, "GET", headers)
if str(fuzz_req.status_code)[0] == '3':
if fuzz_req.headers['Location'].startswith(
redirection_url) is True:
print "%s[ Medium ] {0} is vulnerable to open redirection%s".format(
url) % (api_logger.Y, api_logger.W)
logs.logging.info("%s is vulnerable to open redirection", url)
attack_result = {
"id": 12,
"scanid": scanid,
"url": target_url,
"alert": "Open redirection",
"impact": "Medium",
"req_headers": headers,
"req_body": body,
"res_headers": fuzz_req.headers,
"res_body": "NA"
}
dbupdate.insert_record(attack_result)
return
def brute_force(url,method,headers,body,attack_params,scanid):
attack_result = {}
failed_set = ['exceed','captcha','too many','rate limit','Maximum login']
if len(attack_params) == 1:
# attack_params[0] is a first value from list Ex Pin, password
param_value = body[attack_params[0]] # param_value is a value of param. Example: 1234
if type(param_value) == int:
length = len(str(param_value))
brute_list = generate_list(length,'int')
elif type(param_value) == str or type(param_value) == unicode:
length = len(param_value)
brute_list = generate_list(length,'str')
# Starting brute force attack.
count = 0
if brute_list is not None:
for value in brute_list:
# Mdofiying a json data and update the dictionary.
# Example:{"Username":"******",password:"******"}
# {"Username":"******",password:"******"}
body[attack_params[0]] = value
auth_type = get_value('config.property','login','auth_type')
if auth_type == "cookie":
try:
del headers['Cookie']
except:
pass
brute_request = req.api_request(url,method,headers,body)
if brute_request is not None:
if count == 0:
http_len = len(brute_request.text)
count += count
if len(brute_request.text) == http_len:
if str(brute_request.status_code)[0] == '2' or str(brute_request.status_code)[0] == '4':
for failed_name in failed_set:
if failed_name in brute_request.text:
# Brute force protection detected :-(
result = False
break
else:
result = True
if result is True:
attack_result = {
"id" : 7,
"scanid":scanid,
"url" : url,
"alert": "Missing Rate limit",
"impact": "High",
"req_headers": headers,
"req_body" : body,
"res_headers": brute_request.headers,
"res_body" : brute_request.text
}
return attack_result
def crlf_post_method(uri, method, headers, body, scanid=None):
# This function checks CRLF through POST method.
temp_body = {}
for key, value in body.items():
crlf_payloads = fetch_crlf_payload()
for payload in crlf_payloads:
temp_body.update(body)
temp_body[key] = payload
crlf_post_request = req.api_request(uri, "POST", headers,
temp_body)
for name in crlf_post_request.headers:
if "CRLF-Test" in name:
attack_result = {
"id": 13,
"scanid": scanid,
"url": uri,
"alert": "CRLF injection",
"impact": "High",
"req_headers": headers,
"req_body": temp_body,
"res_headers": crlf_post_request.headers,
"res_body": crlf_post_request.text
}
dbupdate.insert_record(attack_result)
print "[+]{0} is vulnerable to CRLF injection".format(uri)
return
def crlf_get_uri_method(uri, method, headers, scanid=None):
# This function checks CRLF through GET URI method.
par_key = {}
url_query = urlparse.urlparse(uri)
parsed_query = urlparse.parse_qs(url_query.query)
for key, value in parsed_query.items():
crlf_payloads = fetch_crlf_payload()
for payload in crlf_payloads:
par_key.update(parsed_query)
par_key[key] = payload
parsed_uri = urlparse.urlparse(
uri).scheme + "://" + urlparse.urlparse(
uri).netloc + urlparse.urlparse(
uri).path + "?" + urlparse.urlparse(uri).query.replace(
value[0], payload)
crlf_get_method = req.api_request(parsed_uri, "GET", headers)
for name in crlf_get_method.headers:
if "CRLF-Test" in name:
attack_result = {
"id": 13,
"scanid": scanid,
"url": parsed_uri,
"alert": "CRLF injection",
"impact": "High",
"req_headers": headers,
"req_body": "NA",
"res_headers": crlf_get_method.headers,
"res_body": crlf_get_method.text
}
dbupdate.insert_record(attack_result)
print "[+]{0} is vulnerable to CRLF injection".format(
parsed_uri)
return
def csrf_request(url, method, headers, body):
# Send orginal request without removing CSRF header or param.
try:
http_request = req.api_request(url, method, headers, body)
return http_request.status_code, len(http_request.text)
except Exception as e:
sys.exit(1)
def csrf_attack_body(url,method,headers,body,csrf_param,scanid):
http_status_code, response_size = csrf_request(url,method,headers,body)
csrf_param_value = generate_csrf_token(str(body['csrf_param']))
body['csrf_param'] = csrf_param_value
csrf_req_body = req.api_request(url,method,headers,body)
if str(csrf_req_body.status_code)[0] == '4' or str(csrf_req_body.status_code)[0] == '5':
return
if csrf_req_body.status_code == http_status_code:
if len(csrf_req_body.text) == response_size:
# Testing for JSON based CSRF - Blind CSRF
headers['Content-Type'] = 'text/plain'
json_csrf = req.api_request(url,method,headers,body)
if str(csrf_req_body.status_code)[0] == '4' or str(csrf_req_body.status_code)[0] == '5':
return
else:
print "%s[-]{0} is vulnerable to CSRF attack%s".format(url)% (api_logger.R, api_logger.W)
attack_result = { "id" : 6, "scanid":scanid, "url" : url, "alert": "Blind CSRF", "impact": "High", "req_headers": headers, "req_body":body, "res_headers": "NA"}
dbupdate.insert_record(attack_result)
def set_options_list(url, method, headers, body, task_id):
# Setting up url,headers, body for scan
options_set_url = base_url + "/option/" + task_id + "/set"
data = {}
data['url'], data['method'], data['headers'] = url, method, headers
if method.upper() == 'POST' or method.upper() == 'PUT':
data['data'] = body
options_list = req.api_request(options_set_url, "POST", api_header, data)
if options_list.status_code == 200:
return json.loads(options_list.text)['success']
def show_scan_data(task_id):
scan_data_url = base_url + "/scan/" + task_id + "/data"
scan_start_resp = req.api_request(scan_data_url, "GET", api_header)
global scan_data
scan_data = json.loads(scan_start_resp.text)['data']
if scan_data:
logs.logging.info("API is vulnerable to sql injection")
return True
else:
logs.logging.info("API is not vulnerable to sql injection")
def session_fixation(url, method, headers, body, scanid):
# This function deals with checking session fixation issue.
attack_result = {}
login_result = get_value('config.property', 'login', 'loginresult')
logout_result = get_value('config.property', 'logout', 'logoutresult')
if login_result == 'Y' and logout_result == 'Y':
login_data, logout_data = get_authdata()
if url == login_data['loginurl']:
logs.logging.info("Checking for Sesion fixation: %s", url)
url, method, headers, body = (logout_data['logouturl'],
logout_data['logoutmethod'],
logout_data['logoutheaders'],
logout_data['logoutbody'])
logout_headers, auth_old = add_authheader(headers)
try:
logout_body = ast.literal_eval(base64.b64decode(body))
except:
logout_body = None
logs.logging.info("Logout request %s %s %s", url, logout_headers,
logout_body)
logout_req = req.api_request(url, method, logout_headers,
logout_body)
if logout_req is None or str(logout_req.status_code)[0] == '4' or \
str(logout_req.status_code)[0] == '5':
print "%s[!]Failed to logout. Session fixation attack won't" \
" be tested. Check log file for more information.%s"\
% (api_logger.Y, api_logger.W)
return
# Try to relogin and check if the application is serving the
# previous session
login_url, login_method, login_headers, login_body = (
login_data['loginurl'], login_data['loginmethod'],
login_data['loginheaders'], login_data['loginbody'])
logs.logging.info("Login request %s %s %s", url, headers, body)
login_req = api_login.fetch_logintoken(
login_url, login_method, ast.literal_eval(login_headers),
ast.literal_eval(login_body))
if login_req is True:
logs.logging.info("Relogin Successful")
auth_new = get_value('config.property', 'login', 'auth')
if auth_old == auth_new:
attack_result.update({
"id": 5,
"scanid": scanid,
"url": login_url,
"alert": "Session Fixation",
"impact": "Medium",
"req_headers": login_headers,
"req_body": req_body,
"res_headers": "NA",
"res_body": "NA"
})
dbupdate.insert_record(attack_result)
def scan_status(task_id):
# This function deals checking scan status and also check for vulnerability.
status_url = base_url + "/scan/" + task_id + "/status"
while True:
status_url_resp = req.api_request(status_url, "GET", api_header)
if json.loads(status_url_resp.text)['status'] == "terminated":
result = show_scan_data(task_id)
return result
else:
# Wait for 10 second and check the status again
time.sleep(10)
def xss_http_headers(url,method,headers,body,scanid=None):
# This function checks different header based XSS.
# XSS via Host header (Limited to IE)
# Reference : http://sagarpopat.in/2017/03/06/yahooxss/
temp_headers = {}
temp_headers.update(headers)
xss_payloads = fetch_xss_payload()
for payload in xss_payloads:
parse_domain = urlparse.urlparse(url).netloc
host_header = {"Host" : parse_domain + '/' + payload}
temp_headers.update(host_header)
host_header_xss = req.api_request(url, "GET", temp_headers)
try:
decoded_payload = xss_payload_decode(payload)
if host_header_xss.text.find(decoded_payload) != -1:
impact = "Low"
logs.logging.info("%s is vulnerable to XSS",url)
print "%s[{0}] {1} is vulnerable to XSS%s".format(impact,url)% (api_logger.G, api_logger.W)
attack_result = { "id" : 11, "scanid" : scanid, "url" : url, "alert": "Cross Site Scripting", "impact": impact, "req_headers": headers, "req_body":body, "res_headers": host_header_xss.headers ,"res_body": host_header_xss.text}
dbupdate.insert_record(attack_result)
break
except:
logs.logging.info("Failed to test XSS via Host header:%s",url)
return
# Test for Referer based XSS
for payload in xss_payloads:
referer_header_value = 'https://github.com?test='+payload
referer_header = {"Referer" : referer_header_value}
temp_headers.update(referer_header)
ref_header_xss = req.api_request(url, "GET", temp_headers)
decoded_payload = xss_payload_decode(payload)
if ref_header_xss.text.find(decoded_payload) != -1:
impact = check_xss_impact(temp_headers)
logs.logging.info("%s is vulnerable to XSS",url)
print "%s[{0}] {1} is vulnerable to XSS via referer header%s".format(impact,url)% (api_logger.G, api_logger.W)
attack_result = { "id" : 11, "scanid" : scanid, "url" : url, "alert": "Cross Site Scripting via referer header", "impact": impact, "req_headers": temp_headers, "req_body":body, "res_headers": ref_header_xss.headers ,"res_body": ref_header_xss.text}
dbupdate.insert_record(attack_result)
return
def xss_get_uri(url,method,headers,body,scanid=None):
# This function checks for URI based XSS.
# http://localhost/?firstname=<payload>&lastname=<payload>
db_update = ''
vul_param = ''
url_query = urlparse.urlparse(url)
parsed_query = urlparse.parse_qs(url_query.query)
if parsed_query:
for key,value in parsed_query.items():
try:
result = ''
logs.logging.info("GET param for xss : %s",key)
xss_payloads = fetch_xss_payload()
for payload in xss_payloads:
# check for URI based XSS
# Example : http://localhost/?firstname=<payload>&lastname=<payload>
if result is not True:
parsed_url = urlparse.urlparse(url)
xss_url = parsed_url.scheme+"://"+parsed_url.netloc+parsed_url.path+"?"+parsed_url.query.replace(value[0], payload)
xss_request = req.api_request(xss_url,"GET",headers)
decoded_payload = xss_payload_decode(payload)
if xss_request.text.find(decoded_payload) != -1:
impact = check_xss_impact(xss_request.headers)
logs.logging.info("%s is vulnerable to XSS",url)
print "%s[{0}] {1} is vulnerable to XSS%s".format(impact,url)% (api_logger.G, api_logger.W)
if db_update is not True:
attack_result = { "id" : 11, "scanid" : scanid, "url" : xss_url, "alert": "Cross Site Scripting", "impact": impact, "req_headers": headers, "req_body":body, "res_headers": xss_request.headers ,"res_body": xss_request.text}
dbupdate.insert_record(attack_result)
result,db_update = True,True
vul_param += key
else:
result = True
if vul_param == '':
vul_param += key
else:
vul_param += ','+key
except:
pass
else:
logs.logging.info("XSS: No GET param found!")
if vul_param:
# Update all vulnerable params to db.
logs.logging.info("%s Vulnerable Params:",vul_param)
dbupdate.update_record({"scanid": scanid}, {"$set" : {"scan_data" : vul_param+" parameters are vulnerable to XSS"}})
def security_headers_missing(url, method, headers, body, scan_id=None):
# checks if a security header is missing
resp = req.api_request(url, method, headers, body)
res_headers = resp.headers
res_body = resp.text
cookies = resp.cookies
csp_check(url, method, headers, body, scan_id, res_headers, res_body)
xss_protection_check(url, method, headers, body, scan_id, res_headers,
res_body)
x_frame_options_check(url, method, headers, body, scan_id, res_headers,
res_body)
x_content_type_options_check(url, method, headers, body, scan_id,
res_headers, res_body)
hsts_check(url, method, headers, body, scan_id, res_headers, res_body)
cookies_check(cookies, url, method, headers, body, scan_id, res_headers,
res_body)
check_version_disclosure(url, method, headers, body, scan_id, res_headers,
res_body)
def crlf_get_url_method(uri, headers, scanid=None):
# This function checks CRLF through GET URL method.
crlf_payloads = fetch_crlf_payload()
for payload in crlf_payloads:
parsed_uri = urlparse.urlparse(uri).scheme + "://" + urlparse.urlparse(
uri).netloc + urlparse.urlparse(uri).path + "/" + payload
crlf_get_method = req.api_request(parsed_uri, "GET", headers)
for name in crlf_get_method.headers:
if "CRLF-Test" in name:
attack_result = {"id": 13, "scanid": scanid, "url": parsed_uri,
"alert": "CRLF injection", "impact": "High",
"req_headers": headers, "req_body": "NA",
"res_headers": crlf_get_method.headers,
"res_body": crlf_get_method.text}
dbupdate.insert_record(attack_result)
print "[+]{0} is vulnerable to CRLF injection".format(
parsed_uri)
return
def redirection_get_uri(url, method, headers, body, scanid):
# This function checks for URI based redirection.
# Ex: http://localhost?url=<redirection URL>
url_query = urlparse.urlparse(url)
parsed_query = urlparse.parse_qs(url_query.query)
for key, value in parsed_query.items():
redirect_name = fetch_redirection_names()
for name in redirect_name:
if name == key:
redirection_payload = fetch_open_redirect_payload()
for payload in redirection_payload:
if '=' in payload:
payload = payload[payload.find('=') + 1:].replace(
'{target}', redirection_url)
else:
payload = payload.replace('{target}', redirection_url)
parsed_url = urlparse.urlparse(url)
redirect_url = (
parsed_url.scheme + "://" + parsed_url.netloc +
parsed_url.path + "/?" +
parsed_url.query.replace(value[0], payload))
fuzz_req = req.api_request(redirect_url, "GET", headers)
if str(fuzz_req.status_code)[0] == '3':
if fuzz_req.headers['Location'].startswith(
redirection_url) is True:
print "%s[Medium] {0} is vulnerable to open " \
"redirection%s".format(url)\
% (api_logger.Y, api_logger.W)
logs.logging.info(
"%s is vulnerable to open redirection",
redirect_url)
attack_result = {
"id": 12,
"scanid": scanid,
"url": redirect_url,
"alert": "Open redirection",
"impact": "Medium",
"req_headers": headers,
"req_body": body,
"res_headers": fuzz_req.headers,
"res_body": "NA"
}
dbupdate.insert_record(attack_result)
return
def redirection_post_method(url, method, headers, body, scanid):
# Check for POST based open redirection.
temp_body = {}
for key, value in body.items():
param_names = fetch_redirection_names()
for name in param_names:
if key == name:
payloads = fetch_open_redirect_payload()
for payload in payloads:
if "=" in payload:
payload = payload[payload.find('=') + 1:].replace(
'{target}', redirection_url)
else:
payload = payload.replace('{target}', redirection_url)
temp_body.update(body)
temp_body[key] = payload
post_req = req.api_request(url, "POST", headers, temp_body)
if str(post_req.status_code)[0] == '3':
if (post_req.headers['Location'].startswith(
redirection_url) is True):
print "%s[Medium] {0} is vulnerable to open " \
"redirection%s".format(url)\
% (api_logger.Y, api_logger.W)
logs.logging.info(
"%s is vulnerable to open redirection", url)
attack_result = {
"id": 12,
"scanid": scanid,
"url": url,
"alert": "Open redirection",
"impact": "Medium",
"req_headers": headers,
"req_body": body,
"res_headers": post_req.headers,
"res_body": "NA"
}
dbupdate.insert_record(attack_result)
return
def jwt_none(url,
method,
headers,
body,
jwt_loc,
jwt_key,
jwt_token,
jwt_data,
scanid=None):
#Check for algo None vulnerability.
encoded_jwt = jwt.encode(jwt_data, '', algorithm='none')
if jwt_loc == "url":
url = url.replace(value[0], encoded_jwt)
if jwt_loc == "header":
headers[key] = encoded_jwt
jwt_request = req.api_request(url, method, headers, body)
if str(jwt_request.status_code)[0] == '5' or str(
jwt_request.status_code)[0] == '4':
pass
else:
print(
"%s[+]API is vulnearalbe to JWT none algo vulnerability%s".format(
url) % (api_logger.R, api_logger.W))
attack_result = {
"id": 8,
"scanid": scanid,
"url": url,
"alert": "JWT none Algorithm vulnerability",
"impact": "High",
"req_headers": headers,
"req_body": body,
"res_headers": jwt_request.headers,
"res_body": jwt_request.text
}
dbupdate.insert_record(attack_result)
return True
def get_new_task_id():
# Create a new task for scan
new_task_url = base_url + "/task/new"
new_task = req.api_request(new_task_url, "GET", api_header)
if new_task.status_code == 200:
return json.loads(new_task.text)['taskid']
def auth_check(url, method, headers, body, scanid=None):
# This function removes auth header and check if server is accepting request without it
temp_headers = {}
temp_headers.update(headers)
try:
attack_result = {}
auth_headers = fetch_auth_config("auth_headers")
auth_fail = fetch_auth_config("auth_fail")
session_headers = headers
for auth_header in auth_headers:
for key, value in temp_headers.items():
if key.lower() == auth_header.lower():
del temp_headers[auth_header]
updated_headers = temp_headers
logs.logging.info("Auth header is %s", auth_header)
auth_request = req.api_request(url, method,
updated_headers, body)
if auth_request.status_code == 401:
logs.logging.info(
"API requires authentication hence it's not vulnerable %s",
url)
return
elif auth_request.status_code == 200 or auth_request.status_code == 400:
# Check for false positive
for fail_name in auth_fail:
if fail_name.lower() in auth_request.content.lower(
):
logs.logging.info(
"API requires authentication hence it's not vulnerable %s",
url)
else:
attack_result.update({
"id":
3,
"scanid":
scanid,
"url":
url,
"alert":
"Broken Authentication and session management",
"impact":
"High",
"req_headers":
updated_headers,
"req_body":
body,
"res_headers":
auth_request.headers,
"res_body":
auth_request.text
})
dbupdate.insert_record(attack_result)
return
session_fixation(url, method, temp_headers, body, scanid)
else:
result = False
if result is False:
# Marking it as vulnerable if there has no authentication header present in HTTP request
brokenauth_request = req.api_request(url, method, headers, body)
attack_result.update({
"id": 4,
"scanid": scanid,
"url": url,
"alert": "Broken Authentication and session management",
"impact": "High",
"req_headers": headers,
"req_body": body,
"res_headers": brokenauth_request.headers,
"res_body": brokenauth_request.text
})
dbupdate.insert_record(attack_result)
# Test for session fixation
session_fixation(url, method, updated_headers, body, scanid)
return
except:
print "Failed to test Broken authentication and session management"
def delete_task(task_id):
# Delete the task once the scan is completed
delete_task_url = base_url + "/task/" + task_id + "/delete"
delete_task_req = req.api_request(delete_task_url, "GET", api_header)
if delete_task_req.status_code == 200:
return json.loads(delete_task_req.text)['success']